Re: Feature request: include script file into function body - Mailing list pgsql-bugs
| From | Pavel Stehule |
|---|---|
| Subject | Re: Feature request: include script file into function body |
| Date | |
| Msg-id | AANLkTimyizgftsdi4br6U=heyhBFs4kUYOYm10DS+-5e@mail.gmail.com |
| In response to | Re: Feature request: include script file into function body (Steve White <swhite@aip.de>) |
| Responses | Re: Feature request: include script file into function body |
| List | pgsql-bugs |
Hello

2011/2/1 Steve White <swhite@aip.de>:
> Hi Tom,
>
> This seems like a detail that is beside the point I'm making.
> But security is important, so let's think about it.
>
> PostgreSQL has an \i command, which loads the text from any readable file,
> interprets and executes it as further PostgreSQL commands. I'm proposing
> a similar mechanism that would load a file containing script language, and
> process it as though it were in the current function body.
>
> Isn't the \i command a similar security hole?

If you run psql under the "postgres" account, then it is. I don't think, so
your idea is good too.

What about caching? Code of stored procedures stays in the session cache.
Who will ensure that your cache is fresh? Why do you need a direct link to
source files?

Regards

Pavel Stehule

> If somehow loading script text for a function is substantially different
> from loading it by \i, and if there is some problem, it seems to me that
> some simple restriction could solve it, such as restricting the directories
> from which such files can be read. But I'm just guessing here.
>
> I'll leave it to the security experts explicitly by amending my original
> proposal with this:
>
>         " -- without doing anything stupid that would open a security hole."
>
> Cheers again!
>
>
> On 1.02.11, Tom Lane wrote:
>> Steve White <swhite@aip.de> writes:
>> > It would be really nice to have a way to load script (especially Python
>> > and Perl) from a separate file into a function body.
>>
>> This seems like a security hole, ie, you could use it to read any file
>> the backend has access to.
>>
>>                         regards, tom lane
>
> --
> | Steve White                                  +49(331)7499-202
> | E-Science                                    Zi. 27  Villa Turbulenz
> | Astrophysikalisches Institut Potsdam (AIP)
> | An der Sternwarte 16, D-14482 Potsdam
> |
> | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> |
> | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
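The thread above contrasts psql's client-side \i (which reads files as the psql user) with a server-side include that would read files as the backend, and Steve's suggested mitigation is to restrict the directories such files may come from. The following is an added illustration of that confinement check, written for this page and not code from PostgreSQL or from any poster; the include directory, the file names and the file contents are all constructed for the demo. It resolves the requested name against a single allowed directory, rejects absolute paths, `..` traversal and symlinks that point outside that directory, and only then reads the file.

```python
import os
import tempfile


def resolve_include(include_dir: str, requested: str) -> str:
    """Return the real path of `requested` only if it lies inside include_dir.

    Raises ValueError for absolute paths or anything that escapes the
    directory (via '..' or a symlink), FileNotFoundError if the file is missing.
    """
    base = os.path.realpath(include_dir)
    # The include directory is the only root: absolute paths are refused outright.
    if os.path.isabs(requested):
        raise ValueError(f"absolute paths are not allowed: {requested!r}")
    # realpath collapses '..' components and follows symlinks, so a link inside
    # the directory that targets a file outside it resolves to the outside path.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{requested!r} escapes the include directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def load_function_body(include_dir: str, requested: str) -> str:
    """Read the script text that would be spliced into a function body."""
    with open(resolve_include(include_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed include directory and exercise the check.

    Returns a dict mapping each scenario to 'allowed', the exception name,
    or 'skipped' (symlink creation not permitted on this platform).
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        inc = os.path.join(tmp, "plpython_includes")   # constructed allowed directory
        os.makedirs(inc)
        with open(os.path.join(inc, "helpers.py"), "w", encoding="utf-8") as fh:
            fh.write("def double(x):\n    return 2 * x\n")

        # A file outside the allowed directory, standing in for anything else
        # the backend process could read.
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "w", encoding="utf-8") as fh:
            fh.write("not for function bodies\n")

        # A symlink placed inside the allowed directory but pointing outside it.
        link = os.path.join(inc, "escape.py")
        try:
            os.symlink(outside, link)
            have_link = True
        except (OSError, NotImplementedError):
            have_link = False

        results["helpers"] = load_function_body(inc, "helpers.py")
        scenarios = {"traversal": "../outside.txt", "absolute": outside}
        if have_link:
            scenarios["symlink"] = "escape.py"
        else:
            results["symlink"] = "skipped"
        for name, requested in scenarios.items():
            try:
                load_function_body(inc, requested)
                results[name] = "allowed"
            except (ValueError, FileNotFoundError) as exc:
                results[name] = type(exc).__name__
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome!r}")
```

Both sides of the comparison are resolved with `os.path.realpath` before `commonpath` is applied; comparing the raw strings instead would let `..` components or a symlink slip past the prefix test, which is the failure mode the directory restriction is meant to close.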